New Data Breach Laws in Australia

Written by: CIBIS, 30 Jan 2018

Australia’s new Data Breach Notification Law comes into effect on February 22nd, 2018.

This means you have around 3 weeks to be ready, but what else does it mean?

If you are not familiar with the new law, it is an amendment to Australia’s existing Privacy Act 1988 (Cth). The amendment is the “Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)” (the Act), and it spells out a new regime for handling data breaches, making notification of a breach mandatory in most circumstances.

In particular, it details a number of requirements and outlines the consequences for a failure to comply. Notable among these are:

The first point is an interesting one. It essentially boils down to requiring you to complete a reasonable and expeditious assessment within 30 days whenever you have reasonable grounds to suspect that an eligible data breach may have occurred, even before you have reasonable grounds to believe that it has. If the assessment concludes that an eligible data breach has occurred, you must then notify the Commissioner and the affected individuals as soon as practicable.

How that assessment is carried out and how the findings are presented are detailed in the Act.

Ignorance has never been an excuse, and is not so here either.

If you are unable to determine if a breach MAY have occurred, contact CIBIS and we can assist with processes and procedures to help you stay aware.

Other aspects of the Act you should understand and be familiar with include the definitions of an “eligible data breach”, what is an “affected individual”, what is “serious harm”, and who this applies to (organisations with annual turnover above $3M, plus some others such as health service providers regardless of turnover).

In particular, if you operate a business such as a gym, weight loss centre, alternative medicine practice, child care centre, or private school/tertiary institution, you are likely to be treated as a health service provider and covered regardless of turnover, so it is wise to consider yourself “on notice” and be prepared.

CIBIS can also assist with the mandatory assessment and reporting.

Of course, prevention is better than reporting (or apologising), and CIBIS can also assist here with advice and technologies to minimise your upfront risk.